I tried to do a simple 2-WAN setup, which is basically 2 mangle connection mark rules, 2 routing mark rules and 3 routing records, like this:
/ip firewall address-list
add address=192.168.0.0/24 list=LOCAL
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!LOCAL new-connection-mark=c_out_ISP2 src-address-list=Should_go_via_ISP2
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!LOCAL new-connection-mark=c_out_ISP1 src-address-list=LOCAL
add action=mark-routing chain=prerouting connection-mark=c_out_ISP2 new-routing-mark=r_out_ISP2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=c_out_ISP1 new-routing-mark=r_out_ISP1 passthrough=no
/ip route
add distance=1 gateway=WAN-ISP1
add distance=1 gateway=WAN-IPS1 routing-mark=r_out_ISP1
add distance=1 gateway=WAN-IPS2 routing-mark=r_out_ISP2
/ip firewall nat
add action=masquerade chain=srcnat src-address-list=LOCAL
A really easy configuration, but it doesn’t work. LOCAL is an ACL that includes all local network(s), and Should_go_via_ISP2 is an ACL of the hosts that should go over the ISP2 link (LOCAL includes the hosts that are in Should_go_via_ISP2).
I tried to play with it and added myself to the Should_go_via_ISP2 ACL. To my great surprise, the Internet did not become accessible. As soon as I disabled the
add distance=1 gateway=WAN-IPS2 routing-mark=r_out_ISP2
line, the Internet became OK.
So finally I came to the conclusion that if there are any extra routing tables to be used by my host’s traffic, then no traffic can go to/from the Internet.
This is contrary to my experience: I used to think that ‘named’ routing tables would be used to route packets that are route-marked with the names of these routing tables.
So may I finally ask you, gentlemen, what was it that I did wrong? I suspect I missed something important, but I can’t find a mistake in my simple setup, and I am starting to think that route marks don’t work the right way.
P.S. The device is a CCR1016-12G, the ROS versions used were 6.30.2 and 6.31rc16 (just to check), and the firmware is 3.27.